2016 – The Year Ransomware Holds America Hostage

2016 – The year of Ransomware. The Institute for Critical Infrastructure Technology (ICIT) released their report regarding the new hostage taking tactic for cyber-criminals. The new form of cyber-hostage-taking, “is less about technological sophistication and more about exploitation of the human element.” The origins of Ransomware stem from the 1989 World Health Organization’s AIDS Conference, where developer (and biologist) Joseph Popp, “passed 20,000 infected floppy disks” out at the conference. At the time, this “AIDS Trojan” malware was nothing compared to today’s cyber-threats. In the early millennium, cyber-threats were aimed to steal information, physically harm systems, or financially profit.

Several cybersecurity firms (including: Kaspersky, Covenant Security Solutions, Forcepoint, GRA Quantum, Trend Micro, and Securonix) believe that ransomware attacks will increase in 2016. Anyone is a target, and every system (personal computer, mobile devices, servers, IoT [Internet of Things – devices, vehicles, buildings and other items] Devices are at risk. It is important to understand today’s cyber-threats, and how to prevent it from happening at work, or at home. Listed in Appendix A of the ICIT report are the File Extensions and Identifiable Notes and Appendix B lists current domains for Locky ransomware (described below under Crypto Ransomware).

Listed are the descriptions of the types of Ransomware that have been used:

  • Locker Ransomware

“[T]ypically spread through social engineering, phishing campaigns, and watering-hole sites. According to Symantec, about 36% of binary-based ransomware detected in 2014-2015 was locker ransomware. The Computer lockers restrict user access to infected systems by either denying access to the user interface or by restricting the availability of computing resources. Certain capabilities, such as numeric keyboard functionality, might remain unlocked while the rest of the keys and the mouse are locked. This design increases user frustration while restricting user action to following the attacker’s instructions. […] Locker ransomware usually leaves underlying files and systems unaffected; instead, it only restricts access to the interface. This design also means that locker ransomware can often be removed easily by restoring the system to a restore point or by deploying a commercial removal tool. In the previous analogy, this is akin to removing the door to access the contents of the room.”

  • Crypto Ransomware (as seen in the blog image)

“Instead of restricting user action by denying access to the user interface, Crypto ransomware targets the data and filesystems on the device. The critical system files and functionality tend to remain unaffected. The victim can use the computer to do anything except access the encrypted files. Crypto ransomware often includes a time limit, after which the decryption key may or may not actually be permanently deleted if the victim does not pay the ransom on time. People do not think rationally under time limits; as before, the cyber-criminals are compensating for a lack of technical sophistication by leveraging human behavior against the victim. The victim is subject to the anxiety of the ticking clock, the fear of the consequences of making the wrong decision, and the fear of regret if the data is lost forever.”

♦ Two active types of Crypto ransomware are Locky and TeslaCrypt/EccKrypt

  • Locky
    • Encrypts files “with RSA-2048 and AES-128 ciphers” that are spread through spam e-mails “containing Microsoft Word attachments.” After the user has been infected, the malware “deletes backup shadow copies of the operating system.”
  • TeslaCrypt/EccKrypt
    • “Infects systems through the Angler expoit kit, which leverages vulnerabilities in Adobe Flash. Silverlight and Internet Explorer may be exploited in absence of Adobe Flash.”
  • Hybrid Ransomware

“One of the prevalent malware mitigation strategies is a layered depth. It stands to reason that in accordance with the concept of mutual escalation, attackers will begin to “attack in layers.” This behavior already occurs in APT (Advanced Persistent Threats) campaigns and in some ransomware attacks, where for instance, the adversary launches a DDoS attack alongside a more concerning attack. In terms of ransomware, it will be interesting to see if locker ransomware resurges with cryptoransomware running behind the scenes. Layering the types seems unnecessary now, because victims often pay and because neither security researchers nor law enforcement can break the strong encryption used; however, if either of those cultures change, then locker ransomware, which prevents most user action, may return with controls borrowed from crypto ransomware.”

Infections are delivered to computers through the following channels:

  • Traffic distribution system (TDS)

           Often through sites known for adult content, video streaming, and media piracy.

  • Malvertisement

Like TDS, ads redirect users to webpages that appear to be trusting.

  • Phishing emails

Considered as the classic old-fashioned way, attachments and links. “Attackers only need a single user within an organization to click on the malicious link or attachment in order to compromise the network.”

  • Downloaders

“Malware is delivered onto systems through stages of downloaders to minimize the likelihood of signature based detection. Rasomware criminals pay other threat actors to install their ransomware onto already infected machines.”

  • Social engineering

Popp’s way of infection (through infected floppy disks) depended on, “social engineering, and human ignorance[.]” Users had to infect their own machines, in order to receive the warning. 

  • Self-propagation

Applications are downloaded “from an app store or […] spread through an initial victim’s contact book via SMS (short media service) messages to other systems.”

  • RaaS (Ransomware as a service)  

A “creator” is hired to produce a script kiddie where clients download for free (or for a nominal fee), set a payment and a deadline. Once set, the client attempts to trick victims to infect their computers through phishing (most of the time). If successful, the creator receives cut of the profit, usually “5-20%,” while the client keeps the rest.


Corresponding HSDL Feature Topic Lists include:

Other resources regarding Cybersecurity can be found on HSDL.

Please note that login may be required to view particular resources.


Article formerly posted at https://www.hsdl.org/blog/newpost/view/2016-em-the-year-ransomware-holds-america-hostage-em

Scroll to Top